coreos · HuijingHei · Oct 15, 2024
diff --git a/modules/ROOT/pages/provisioning-azure.adoc b/modules/ROOT/pages/provisioning-azure.adoc
@@ -83,3 +83,104 @@ az vm create -n "${az_vm_name}" -g "${az_resource_group}" --image "${az_image_na
 ----
 ssh core@<ip address>
 ----
+
+== Launching a Confidential VM instance
+
+Note: For an overview about confidential VMs on Azure see https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview[confidential VM overview].
+
+To launch a confidential VM, we need to build image that supports confidential VMs using https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery[Azure Compute Gallery].
+
+. Example create gallery image that supports confidence
+[source, bash]
+----
+# Create an image gallery
+gallery_name="mygallery"
+az sig create --resource-group "${az_resource_group}" --gallery-name "${gallery_name}"
+
+# Create a gallery image definition
+gallery_image_definition="mygallery-def"
+az sig image-definition create \
+    --resource-group "${az_resource_group}" \
+    --gallery-name "${gallery_name}" \
+    --gallery-image-definition "${gallery_image_definition}" \
+    --publisher azure \
+    --offer example \
+    --sku standard \
+    --features SecurityType=ConfidentialVmSupported \
+    --os-type Linux \
+    --hyper-v-generation V2
+
+# get the source VHD URI of OS disk
+os_vhd_storage_account=$(az storage account list -g ${az_resource_group} | jq -r .[].id)
+
+# Create a new image version
+gallery_image_version="1.0.0"
+az sig image-version create \
+    --resource-group "${az_resource_group}" \
+    --gallery-name "${gallery_name}" \
+    --gallery-image-definition "${gallery_image_definition}" \
+    --gallery-image-version "${gallery_image_version}" \
+    --os-vhd-storage-account "${os_vhd_storage_account}" \
+    --os-vhd-uri https://${az_storage_account}.blob.core.windows.net/${az_container}/${az_image_blob}
+----
+
+To launch a confidential FCOS instance specify the confidential compute type, and a related https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-machine-options[machine type] that supports confidential compute.
+
+From the command-line, use `--security-type ConfidentialVM` and `--size`.
+
+. Example launching a Confidential VM instance
+[source, bash]
+----
+vm_name="my-fcos-cvm"
+ignition_path="./config.ign"
+
+# Specify the size that supports confidence (using AMD SEV-SNP)
+vm_size="Standard_DC2as_v5"
+
+# Get gallery image id
+gallery_image_id=$(az sig image-version show --gallery-image-definition "${gallery_image_definition}" --gallery-image-version "${gallery_image_version}" --gallery-name "${gallery_name}" --resource-group $az_resource_group | jq -r .id)
+
+# Create VM using generated Gallery image
+az vm create \
+    --name "${vm_name}" \
+    --resource-group $az_resource_group \
+    --size "${vm_size}" \
+    --image "${gallery_image_id}" \
+    --admin-username core \
+    --generate-ssh-keys \
+    --custom-data "$(cat ${ignition_path})" \
+    --enable-vtpm true \
+    --public-ip-sku Standard \
+    --security-type ConfidentialVM \
+    --os-disk-security-encryption-type VMGuestStateOnly \
+    --enable-secure-boot true
+----
+
+Note: We pass parameter `--enable-secure-boot true` to enable the secure boot, update the value to `false` to disable secure boot should .
+
+. Example Confidential VM Boot Verification
+[source, bash]
+----
+ssh core@<ip address>
+# Confirm the VM is using `AMD SEV-SNP` confidential type
+sudo systemd-detect-virt --cvm
+sev-snp
+
+# Confirm the VM is using `Intel TDX` confidential type
+sudo systemd-detect-virt --cvm
+tdx
+----
+
+Note: Another way to confirm is looking at "Group B" and see that it ends with 2 (`HV_ISOLATION_TYPE_SNP`), or ends with 3 (`HV_ISOLATION_TYPE_TDX`).
+
+. Example Confidential VM Boot Verification by checking dmesg log
+[source, bash]
+----
+# `AMD SEV-SNP` confidential type
+dmesg | grep "Hyper-V: Isolation Config"
+[    0.000000] Hyper-V: Isolation Config: Group A 0x1, Group B 0xba2
+
+# `Intel TDX` confidential type
+dmesg | grep "Hyper-V: Isolation Config"
+[    0.000000] Hyper-V: Isolation Config: Group A 0x1, Group B 0xbe3
+----